merick vega
2009-02-11, 19:54
I started having some issues with popups and slow responding apps a few weeks ago on my Windows 2003 server at home. This isn't a professional server by anymeans, I simply use it as a file server for storing pictures/music and downloading torrents from time to time. I have been able to remove some items that appeared to be spyware, but virtumonde.generic just won't go away.
Any help is appreciated, here is my hjt log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:54 PM, on 2/11/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServear.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: {9449} - {f46b8e2b-fc39-4bc7-bfa2-5d481a42aeca} - C:\WINDOWS\system32\jyvwujhi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yaboporasu] Rundll32.exe "C:\WINDOWS\system32\japiyute.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [A00F20BDA923.exe] C:\WINDOWS\TEMP\_A00F20BDA923.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F25DB91AF.exe] C:\WINDOWS\TEMP\_A00F25DB91AF.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F263A2839.exe] C:\WINDOWS\TEMP\_A00F263A2839.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F301C8982.exe] C:\WINDOWS\TEMP\_A00F301C8982.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F242F58F.exe] C:\WINDOWS\TEMP\_A00F242F58F.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FD15C39C.exe] C:\WINDOWS\TEMP\_A00FD15C39C.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FF42EF4B.exe] C:\WINDOWS\TEMP\_A00FF42EF4B.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F11C295E7.exe] C:\WINDOWS\TEMP\_A00F11C295E7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F11F6618C.exe] C:\WINDOWS\TEMP\_A00F11F6618C.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F11FC3FDD.exe] C:\WINDOWS\TEMP\_A00F11FC3FDD.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F172D1061.exe] C:\WINDOWS\TEMP\_A00F172D1061.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F1BE719E9.exe] C:\WINDOWS\TEMP\_A00F1BE719E9.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00F20BDA923.exe] C:\WINDOWS\TEMP\_A00F20BDA923.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DynDNS Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://my.csmauto.com
O15 - ESC Trusted Zone: http://mozilla.isc.org
O15 - ESC Trusted Zone: http://mozilla.jiddernet.se
O15 - ESC Trusted Zone: http://mozilla.mirror.ac.za
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://internap.dl.sourceforge.net
O15 - ESC Trusted Zone: http://cache1.vuze.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://ftp.cse.yzu.edu.tw
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1104564532250
O20 - Winlogon Notify: fccaAqnL - fccaAqnL.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
--
End of file - 6868 bytes
Any help is appreciated, here is my hjt log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:54 PM, on 2/11/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServear.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: {9449} - {f46b8e2b-fc39-4bc7-bfa2-5d481a42aeca} - C:\WINDOWS\system32\jyvwujhi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yaboporasu] Rundll32.exe "C:\WINDOWS\system32\japiyute.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [A00F20BDA923.exe] C:\WINDOWS\TEMP\_A00F20BDA923.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F25DB91AF.exe] C:\WINDOWS\TEMP\_A00F25DB91AF.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F263A2839.exe] C:\WINDOWS\TEMP\_A00F263A2839.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F301C8982.exe] C:\WINDOWS\TEMP\_A00F301C8982.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F242F58F.exe] C:\WINDOWS\TEMP\_A00F242F58F.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FD15C39C.exe] C:\WINDOWS\TEMP\_A00FD15C39C.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FF42EF4B.exe] C:\WINDOWS\TEMP\_A00FF42EF4B.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F11C295E7.exe] C:\WINDOWS\TEMP\_A00F11C295E7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F11F6618C.exe] C:\WINDOWS\TEMP\_A00F11F6618C.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F11FC3FDD.exe] C:\WINDOWS\TEMP\_A00F11FC3FDD.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F172D1061.exe] C:\WINDOWS\TEMP\_A00F172D1061.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00F1BE719E9.exe] C:\WINDOWS\TEMP\_A00F1BE719E9.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00F20BDA923.exe] C:\WINDOWS\TEMP\_A00F20BDA923.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DynDNS Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://my.csmauto.com
O15 - ESC Trusted Zone: http://mozilla.isc.org
O15 - ESC Trusted Zone: http://mozilla.jiddernet.se
O15 - ESC Trusted Zone: http://mozilla.mirror.ac.za
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://internap.dl.sourceforge.net
O15 - ESC Trusted Zone: http://cache1.vuze.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://ftp.cse.yzu.edu.tw
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1104564532250
O20 - Winlogon Notify: fccaAqnL - fccaAqnL.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
--
End of file - 6868 bytes